No Rate Limiting Vulnerability & Bypasses
Hello guys👋👋 ,Prajit here from the BUG XS Team and Cyber Sapiens United LLP Cybersecurity and Red Team Intern, in this I am regularly given some interesting tasks, In my seventeenth task I was given to research about No Rate Limiting Vulnerability.
What is Rate Limiting?
Rate limiting is used to control the amount of incoming and outgoing traffic to or from a network.
If the number of requests you make exceeds that limit, then an error will be triggered. The reasoning behind implementing rate limits is to allow for a better flow of data and to increase security by mitigating attacks such as DDoS.
What is the importance of Burp Intruder for Rate Limiting?
Intruder is a powerful tool for carrying out automated customised attacks against web applications. It is highly configurable and can be used to perform a wide range of tasks to make your testing faster and more effective.
This feature of Burp Intruder makes it possible for us to test for rate limiting with ease. There are three methods with the help of intruder to test for rate limiting:
- Via email parameter:
1)Click on email sending feature(for eg: forgot password)
2)Enter email and intercept that request.
3)Send to intruder and select ‘your email’ parameter as an injection point!
4)Paste your email in the payload list 100 times.
5)Start an attack and you will be receiving 100 emails.
- Via q parameter
1)Click on email sending feature(for eg: forgot password)
2)Enter email and intercept that request.
3)Send to the intruder and select the ‘q’ parameter as an injection point!
4)Set payload type number and for testing purpose set number of payload 100
5)Start an attack and you will be receiving 100 emails.
- Via null parameter
1)Click on email sending feature(for eg: forgot password)
2)Enter email and intercept that request.
3)sent to intruder and select blank space as an injection point!
4)set payload type NULL Payload and for testing purpose set number of payload 100
5)Start an attack and you will be receiving 100 emails.
How to Bypass Rate Limiting?
Rate Limit protections can be bypassed by putting following headers in the request:
X-Forwarded-For:127.0.0.1
X-Forwarded:127.0.0.1
Forwarded-For:127.0.0.1
Forwarded:127.0.0.1
X-Forwarded-Host:127.0.0.1
X-remote-IP:127.0.0.1
X-remote-addr:127.0.0.1
True-Client-IP:127.0.0.1
X-Client-IP:127.0.0.1
Client-IP:127.0.0.1
X-Real-IP:127.0.0.1
Ali-CDN-Real-IP:127.0.0.1
Cdn-Src-Ip:127.0.0.1
Cdn-Real-Ip:127.0.0.1
CF-Connecting-IP:127.0.0.1
X-Cluster-Client-IP:127.0.0.1
WL-Proxy-Client-IP:127.0.0.1
Proxy-Client-IP:127.0.0.1
Fastly-Client-Ip:127.0.0.1
True-Client-Ip:127.0.0.1
You can use FakeIp to get these headers easily in your requests.
Source: https://github.com/TheKingOfDuck/burpFakeIP
Steps To Install:
- Go to site.
- Open fakeip.py
- Copy the whole file and save it as a python file in your system.
- Go to Burpsuite > Extender >Extensions > Add
Select extension type as Python
Select the file we saved as extension file
In the case you got error while trying rate limiting follow the following steps:
● Go to VPN and change the IP (This is because your IP might be blocked and will not work)
● Again Capture the same request and send it to the intruder.
● In positions Payload do right click and add the fakeip payloads and then start attack.
● Now if you are not getting rate limited then it is vulnerable.
How to mitigate No Rate Limiting ?
Implement Captcha: Captcha is a common system to verify a human is a human on websites and can stop brute force attacks in progress
Implement X-Rate-Limiting Header: We can set rate limiting with this header.
This is all for today’s writeup.
Thanks For Reading 😊
Profile Links:
Twitter: https://twitter.com/SAPT01
LinkedIn: https://www.linkedin.com/in/prajit-sindhkar-3563b71a6/
Instagram: https://instagram.com/prajit_01?utm_medium=copy_link
BUG XS Official Website: https://www.bugxs.co/
